US7949137B2 - Virtual disk management methods - Google Patents

Virtual disk management methods Download PDF

Info

Publication number
US7949137B2
US7949137B2 US11/777,322 US77732207A US7949137B2 US 7949137 B2 US7949137 B2 US 7949137B2 US 77732207 A US77732207 A US 77732207A US 7949137 B2 US7949137 B2 US 7949137B2
Authority
US
United States
Prior art keywords
disk
password
device code
key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/777,322
Other versions
US20080065909A1 (en
Inventor
Rui-Hwa Chen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Via Technologies Inc
Original Assignee
Via Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Via Technologies Inc filed Critical Via Technologies Inc
Priority to US11/777,322 priority Critical patent/US7949137B2/en
Assigned to VIA TECHNOLOGIES, INC. reassignment VIA TECHNOLOGIES, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHEN, RUI-HWA
Publication of US20080065909A1 publication Critical patent/US20080065909A1/en
Application granted granted Critical
Publication of US7949137B2 publication Critical patent/US7949137B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • the invention relates generally to virtual disk management methods, and, more particularly, to virtual disk management methods with authority control mechanisms where specific users/groups can mount encrypted devices on specific hosts.
  • EDA Encrypted Device Application
  • Some applications such as EDA (Encrypted Device Application) can encrypt specific files as encrypted files, and mount the encrypted files as virtual disks.
  • the virtual disks may use various encryption algorithms to keep user information safe from attacks by viruses and hackers.
  • FIG. 1 is a flowchart of a conventional method for creating encrypted files by EDA.
  • EDA 10 generates a request asking for a file size of a virtual disk.
  • step S 120 user 20 sets the file size used for the virtual disk to EDA 10 .
  • step S 130 EDA 10 generates a request asking for a password corresponding to the virtual disk.
  • step S 140 user 20 sets the password for the virtual disk to EDA 10 .
  • step S 150 EDA 10 encrypts a file space with the file size according to the password to create an encrypted file 30 .
  • FIG. 2 is a flowchart of a conventional method for mounting encrypted files as virtual disks by EDA.
  • EDA 10 generates a request asking for a designation of a specific encrypted file to be mounted.
  • user 20 selects an encrypted file 30 .
  • step S 230 EDA 10 checks existence of the designated encrypted file 30 . If the encrypted file 30 does not exist (No in step S 240 ), the procedure is complete. If the encrypted file 30 exists (Yes in step S 240 ), in step S 250 , EDA 10 generates a request asking for a password corresponding to the encrypted file 30 .
  • step S 260 user 20 enters the password to EDA 10 .
  • step S 270 EDA 10 determines whether the password is correct. If not (No in step S 270 ), the procedure is complete. If so (Yes in step S 270 ), in step S 280 , the encrypted file 30 is mounted as a virtual disk 40 .
  • the file is encrypted according to the password set by user
  • the password may be easily ascertained, and the encrypted file may be used by others.
  • no authority control mechanism is provided by conventional virtual disks management mechanisms, thus lacking access flexibility for multiple users.
  • conventional virtual disk management mechanisms cannot recognize the host of the encrypted files, the encrypted files may be copied onto other hosts and used thereto.
  • Virtual disk management methods and systems are provided.
  • a file space is set and a first password is set.
  • a first device code is acquired.
  • the file space is encrypted according to the first password and the first device code to obtain an encrypted file.
  • a designation of the encrypted file is received.
  • a second password is received, and a second device code is acquired. It is determined whether the second password conforms to the first password, and whether the second device code conforms to the first device code. If so, the encrypted file is mounted as a virtual disk.
  • a file space is set and a first password is set.
  • a first device code is acquired.
  • the first device code is encrypted to obtain a disk root key.
  • the first password is encrypted according to the disk root key to obtain a disk encryption key.
  • the file space is encrypted according to the disk encryption key to obtain an encrypted file.
  • the encrypted file is used for a virtual disk.
  • a designation of an encrypted file is received, and a second password is set.
  • a second device code is acquired.
  • a disk root key corresponding to the encrypted file is decrypted to obtain a first device code. It is determined whether the second device code conforms to the first device code.
  • a disk encryption key corresponding to the encrypted file is decrypted according to the disk root key to obtain a first password. It is determined whether the second password conforms to the first password. If the second device code conforms to the first device code, and the second password conforms to the first password, the encrypted file is mounted as a virtual disk.
  • An embodiment of a virtual disk management system comprises a storage device and an encryption device application.
  • the encryption device application receives a designation of an encrypted file in the storage device, and a second password.
  • the encryption device application acquires a second device code.
  • the encryption device application decrypts a disk root key corresponding to the encrypted file to obtain a first device code.
  • the encryption device application determines whether the second device code conforms to the first device code.
  • the encryption device application decrypts a disk encryption key corresponding to the encrypted file according to the disk root key to obtain a first password.
  • the encryption device application determines whether the second password conforms to the first password. If the second device code conforms to the first device code, and the second password conforms to the first password, the encryption device application mounts the encrypted file as a virtual disk.
  • Virtual disk management methods and systems may take the form of program code embodied in a tangible media.
  • the program code When the program code is loaded into and executed by a machine, the machine becomes an apparatus for practicing the disclosed method.
  • FIG. 1 is a flowchart of a conventional method for creating encrypted files by EDA
  • FIG. 2 is a flowchart of a conventional method for mounting encrypted files as virtual disks by EDA;
  • FIG. 3 is a schematic diagram illustrating an embodiment of a virtual disk management system
  • FIG. 4 is a flowchart of an embodiment of a virtual disk management method for creating encrypted files.
  • FIG. 5 is a flowchart of an embodiment of a virtual disk management method for mounting encrypted files as virtual disks.
  • Virtual disk management methods and systems are provided.
  • FIG. 3 illustrates an embodiment of a virtual disk management system.
  • the virtual disk management system 300 comprises an encryption device application 310 and a storage device 320 .
  • the encryption device application 310 can receive a password 330 from an input device, and encrypt a file space in the storage device 320 according to the virtual disk management methods to obtain an encrypted file 321 .
  • the storage device 320 has a device code 322 .
  • the device code can be used to identify the storage device 320 .
  • the device code may be a code set by users or an identification code of a component in the storage device 320 .
  • the device code 322 may be a UUID (Universal Unique Identifier) of a hard disk, a UUID of a CPU (Central Processing Unit) of the storage device 320 , or an unique code of any component within the computer system.
  • UUID Universal Unique Identifier
  • the storage device 320 further comprises an access control list 323 defining access authorities towards the virtual disk corresponding to the encrypted file 321 for respective users/groups.
  • the access authorities comprise authorities of disk read, disk write, disk execution, and modification for a disk specific key corresponding to the access control list 323 .
  • the disk specific key is discussed later. It is understood that, in some embodiments, the encrypted access control list 323 can be stored in the encrypted file 321 .
  • FIG. 4 is a flowchart of an embodiment of a virtual disk management method for creating encrypted files.
  • UUID is employed as the device code for explanation, but is not limited thereto.
  • step S 410 a setting of a file size of a file space is received, and in step S 420 , a setting of a password is received.
  • the encryption device application can generate requests to users for the file size and the password.
  • step S 430 a UUID is acquired. It is noted that the UUID may correspond to the storage device or processing unit.
  • step S 440 the UUID is encrypted to obtain a disk rook key (DRK). It is understood that the disk rook key is generated using an asymmetric algorithm such as RSA, or a symmetric algorithm such as AES, DES and Blowfish.
  • the UUID is encrypted using RSA algorithm with a public key corresponding to the encryption device application to obtain the disk root key. In some embodiments, the UUID is encrypted using AES algorithm with a secret key corresponding to the encryption device application to obtain the disk root key.
  • the password is encrypted according to the disk root key to obtain a disk encryption key (DEK).
  • the access control list is encrypted according to the disk root key to obtain a disk specific key (DSK).
  • step S 470 the file space is encrypted according to the disk encryption key to obtain an encrypted file. It is understood that the disk specific key can be stored in the encrypted file.
  • FIG. 5 is a flowchart of an embodiment of a virtual disk management method for mounting encrypted files as virtual disks.
  • UUID is employed as the device code for explanation, but is not limited thereto.
  • step S 510 a designation of an encrypted file is received, and in step S 520 , a password is received.
  • step S 530 a UUID of a storage device or a processing unit of a host storing the encrypted file is acquired.
  • step S 540 the UUID is verified according to a disk root key corresponding to the encrypted file.
  • the disk root key is decrypted to obtain an original UUID. It is determined whether the acquired UUID conforms to the original UUID.
  • the disk rook key may be generated using an asymmetric algorithm or a symmetric algorithm.
  • the disk root key is decrypted using RSA algorithm with a private key corresponding to the encryption device application to obtain the original UUID. In some embodiments, the disk root key is decrypted using AES algorithm with a secret key corresponding to the encryption device application to obtain the original UUID.
  • the password is verified. In this step, a disk encryption key corresponding to the encrypted file is decrypted according to the disk root key to obtain an original password. It is determined whether the received password conforms to the original password. If the UUID verification or the password verification fails (the acquired UUID does not conform to the original UUID or the received password does not conform to the original password) (No in step S 560 ), the procedure is complete. If the UUID verification and the password verification pass (the acquired UUID conforms to the original UUID and the received password conforms to the original password) (Yes in step S 560 ), in step S 570 , the encrypted file is mounted as a virtual disk.
  • the encrypted file may be constructed into a RAID (Redundant Array of Independent Disks) system.
  • RAID Redundant Array of Independent Disks
  • the encrypted file is divided into several strips and stored in different disks.
  • the encrypted file is duplicated as several copies and stored in different disks.
  • respective disks in the RAID system can generate corresponding strips or copies according to the method in FIG. 4 . If respective disks are constructed by a common user and in the same storage device, respective disks may have a same disk encryption key. Additionally, respective disks may have different disk specific key based on various requirements.
  • respective disks in the RAID system may be mounted as virtual disks according to the method in FIG. 5 .
  • all disks of the RAID system can be completely mounted if the disk rook key and all disk specific keys of respective disks are correct.
  • Virtual disks management methods and systems may take the form of program code (i.e., executable instructions) embodied in tangible media, such as products, floppy diskettes, CD-ROMS, hard drives, or any other machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine thereby becomes an apparatus for practicing the methods.
  • the methods may also be embodied in the form of program code transmitted over some transmission medium, such as electrical wiring or cabling, through fiber optics, or via any other form of transmission, wherein, when the program code is received and loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the disclosed methods.
  • the program code When implemented on a general-purpose processor, the program code combines with the processor to provide a unique apparatus that operates analogously to application specific logic circuits.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Virtual disks management methods and systems. First, a file space is set and a first password is set. A first device code is acquired. The file space is encrypted according to the first password and the first device code to obtain an encrypted file. Thereafter, a designation of the encrypted file is received. A second password is received, and a second device code is acquired. It is determined whether the second password conforms to the first password, and whether the second device code conforms to the first device code. If so, the encrypted file is mounted as a virtual disk.

Description

BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates generally to virtual disk management methods, and, more particularly, to virtual disk management methods with authority control mechanisms where specific users/groups can mount encrypted devices on specific hosts.
2. Description of the Related Art
In computer systems, some applications such as EDA (Encrypted Device Application) can encrypt specific files as encrypted files, and mount the encrypted files as virtual disks. The virtual disks may use various encryption algorithms to keep user information safe from attacks by viruses and hackers.
Conventionally, EDA accepts a password from user and encrypts a file accordingly. During mounting of encrypted files, EDA also determines whether a password is correct, and mounts an encrypted file if the password is correct. FIG. 1 is a flowchart of a conventional method for creating encrypted files by EDA. In step S110, EDA 10 generates a request asking for a file size of a virtual disk. In step S120, user 20 sets the file size used for the virtual disk to EDA 10. In step S130, EDA 10 generates a request asking for a password corresponding to the virtual disk. In step S140, user 20 sets the password for the virtual disk to EDA 10. In step S150, EDA 10 encrypts a file space with the file size according to the password to create an encrypted file 30. FIG. 2 is a flowchart of a conventional method for mounting encrypted files as virtual disks by EDA. In step S210, EDA 10 generates a request asking for a designation of a specific encrypted file to be mounted. In step S220, user 20 selects an encrypted file 30. In step S230, EDA 10 checks existence of the designated encrypted file 30. If the encrypted file 30 does not exist (No in step S240), the procedure is complete. If the encrypted file 30 exists (Yes in step S240), in step S250, EDA 10 generates a request asking for a password corresponding to the encrypted file 30. In step S260, user 20 enters the password to EDA 10. In step S270, EDA 10 determines whether the password is correct. If not (No in step S270), the procedure is complete. If so (Yes in step S270), in step S280, the encrypted file 30 is mounted as a virtual disk 40.
As described, since the file is encrypted according to the password set by user, the password may be easily ascertained, and the encrypted file may be used by others. Additionally, no authority control mechanism is provided by conventional virtual disks management mechanisms, thus lacking access flexibility for multiple users. Further, since conventional virtual disk management mechanisms cannot recognize the host of the encrypted files, the encrypted files may be copied onto other hosts and used thereto.
BRIEF SUMMARY OF THE INVENTION
Virtual disk management methods and systems are provided.
In an embodiment of a virtual disk management method, a file space is set and a first password is set. A first device code is acquired. The file space is encrypted according to the first password and the first device code to obtain an encrypted file. Thereafter, a designation of the encrypted file is received. A second password is received, and a second device code is acquired. It is determined whether the second password conforms to the first password, and whether the second device code conforms to the first device code. If so, the encrypted file is mounted as a virtual disk.
In an embodiment of a virtual disk management method, a file space is set and a first password is set. A first device code is acquired. The first device code is encrypted to obtain a disk root key. The first password is encrypted according to the disk root key to obtain a disk encryption key. The file space is encrypted according to the disk encryption key to obtain an encrypted file. The encrypted file is used for a virtual disk.
In an embodiment of a virtual disk management method, a designation of an encrypted file is received, and a second password is set. A second device code is acquired. A disk root key corresponding to the encrypted file is decrypted to obtain a first device code. It is determined whether the second device code conforms to the first device code. A disk encryption key corresponding to the encrypted file is decrypted according to the disk root key to obtain a first password. It is determined whether the second password conforms to the first password. If the second device code conforms to the first device code, and the second password conforms to the first password, the encrypted file is mounted as a virtual disk.
An embodiment of a virtual disk management system comprises a storage device and an encryption device application. The encryption device application receives a designation of an encrypted file in the storage device, and a second password. The encryption device application acquires a second device code. The encryption device application decrypts a disk root key corresponding to the encrypted file to obtain a first device code. The encryption device application determines whether the second device code conforms to the first device code. The encryption device application decrypts a disk encryption key corresponding to the encrypted file according to the disk root key to obtain a first password. The encryption device application determines whether the second password conforms to the first password. If the second device code conforms to the first device code, and the second password conforms to the first password, the encryption device application mounts the encrypted file as a virtual disk.
Virtual disk management methods and systems may take the form of program code embodied in a tangible media. When the program code is loaded into and executed by a machine, the machine becomes an apparatus for practicing the disclosed method.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will become more fully understood by referring to the following detailed description with reference to the accompanying drawings, wherein:
FIG. 1 is a flowchart of a conventional method for creating encrypted files by EDA;
FIG. 2 is a flowchart of a conventional method for mounting encrypted files as virtual disks by EDA;
FIG. 3 is a schematic diagram illustrating an embodiment of a virtual disk management system;
FIG. 4 is a flowchart of an embodiment of a virtual disk management method for creating encrypted files; and
FIG. 5 is a flowchart of an embodiment of a virtual disk management method for mounting encrypted files as virtual disks.
 DETAILED DESCRIPTION OF THE INVENTION
Virtual disk management methods and systems are provided.
FIG. 3 illustrates an embodiment of a virtual disk management system.
The virtual disk management system 300 comprises an encryption device application 310 and a storage device 320. The encryption device application 310 can receive a password 330 from an input device, and encrypt a file space in the storage device 320 according to the virtual disk management methods to obtain an encrypted file 321. The storage device 320 has a device code 322. The device code can be used to identify the storage device 320. The device code may be a code set by users or an identification code of a component in the storage device 320. For example, the device code 322 may be a UUID (Universal Unique Identifier) of a hard disk, a UUID of a CPU (Central Processing Unit) of the storage device 320, or an unique code of any component within the computer system. Additionally, the storage device 320 further comprises an access control list 323 defining access authorities towards the virtual disk corresponding to the encrypted file 321 for respective users/groups. The access authorities comprise authorities of disk read, disk write, disk execution, and modification for a disk specific key corresponding to the access control list 323. The disk specific key is discussed later. It is understood that, in some embodiments, the encrypted access control list 323 can be stored in the encrypted file 321.
FIG. 4 is a flowchart of an embodiment of a virtual disk management method for creating encrypted files. In this embodiment, UUID is employed as the device code for explanation, but is not limited thereto.
In step S410, a setting of a file size of a file space is received, and in step S420, a setting of a password is received. Similarly, the encryption device application can generate requests to users for the file size and the password. In step S430, a UUID is acquired. It is noted that the UUID may correspond to the storage device or processing unit. In step S440, the UUID is encrypted to obtain a disk rook key (DRK). It is understood that the disk rook key is generated using an asymmetric algorithm such as RSA, or a symmetric algorithm such as AES, DES and Blowfish. In some embodiments, the UUID is encrypted using RSA algorithm with a public key corresponding to the encryption device application to obtain the disk root key. In some embodiments, the UUID is encrypted using AES algorithm with a secret key corresponding to the encryption device application to obtain the disk root key. In step S450, the password is encrypted according to the disk root key to obtain a disk encryption key (DEK). In step S460, the access control list is encrypted according to the disk root key to obtain a disk specific key (DSK). In step S470, the file space is encrypted according to the disk encryption key to obtain an encrypted file. It is understood that the disk specific key can be stored in the encrypted file.
FIG. 5 is a flowchart of an embodiment of a virtual disk management method for mounting encrypted files as virtual disks. Similarly, in this embodiment, UUID is employed as the device code for explanation, but is not limited thereto.
In step S510, a designation of an encrypted file is received, and in step S520, a password is received. In step S530, a UUID of a storage device or a processing unit of a host storing the encrypted file is acquired. In step S540, the UUID is verified according to a disk root key corresponding to the encrypted file. In this step, the disk root key is decrypted to obtain an original UUID. It is determined whether the acquired UUID conforms to the original UUID. As described, the disk rook key may be generated using an asymmetric algorithm or a symmetric algorithm. In some embodiments, the disk root key is decrypted using RSA algorithm with a private key corresponding to the encryption device application to obtain the original UUID. In some embodiments, the disk root key is decrypted using AES algorithm with a secret key corresponding to the encryption device application to obtain the original UUID. In step S550, the password is verified. In this step, a disk encryption key corresponding to the encrypted file is decrypted according to the disk root key to obtain an original password. It is determined whether the received password conforms to the original password. If the UUID verification or the password verification fails (the acquired UUID does not conform to the original UUID or the received password does not conform to the original password) (No in step S560), the procedure is complete. If the UUID verification and the password verification pass (the acquired UUID conforms to the original UUID and the received password conforms to the original password) (Yes in step S560), in step S570, the encrypted file is mounted as a virtual disk.
It is understood that since a disk with excessively large volumes may increase maintenance and management difficulties of virtual disks, in some embodiments, the encrypted file may be constructed into a RAID (Redundant Array of Independent Disks) system. For example, in the RAID 0 architecture, the encrypted file is divided into several strips and stored in different disks. In the RAID 1 architecture, the encrypted file is duplicated as several copies and stored in different disks. In some embodiments, respective disks in the RAID system can generate corresponding strips or copies according to the method in FIG. 4. If respective disks are constructed by a common user and in the same storage device, respective disks may have a same disk encryption key. Additionally, respective disks may have different disk specific key based on various requirements. Further, respective disks in the RAID system may be mounted as virtual disks according to the method in FIG. 5. During disk mounting, all disks of the RAID system can be completely mounted if the disk rook key and all disk specific keys of respective disks are correct.
In the virtual disk management method and systems, specific users/groups can mount encrypted devices on specific hosts. Additionally, the authority control mechanisms of virtual disk management are improved, increasing access flexibility for virtual disk users.
Virtual disks management methods and systems, or certain aspects or portions thereof, may take the form of program code (i.e., executable instructions) embodied in tangible media, such as products, floppy diskettes, CD-ROMS, hard drives, or any other machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine thereby becomes an apparatus for practicing the methods. The methods may also be embodied in the form of program code transmitted over some transmission medium, such as electrical wiring or cabling, through fiber optics, or via any other form of transmission, wherein, when the program code is received and loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the disclosed methods. When implemented on a general-purpose processor, the program code combines with the processor to provide a unique apparatus that operates analogously to application specific logic circuits.
While the invention has been described by way of example and in terms of preferred embodiment, it is to be understood that the invention is not limited thereto. Those skilled in the technology can still make various alterations and modifications without departing from the scope and spirit of this invention. Therefore, the scope of the present invention shall be defined and protected by the following claims and their equivalents.

Claims (17)

1. A virtual disk management method in a system comprising a processing unit, comprising:
setting a file space;
setting a first password;
acquiring a first device code;
encrypting the first device code to obtain a disk root key by the processing unit;
encrypting the first password according to the disk root key to obtain a disk encryption key by the processing unit; and
encrypting the file space according to the disk encryption key to obtain an encrypted file by the processing unit, where the encrypted file is used for a virtual disk.
2. The method of claim 1 further comprising:
receiving a designation of the encrypted file;
receiving a second password;
acquiring a second device code;
decrypting the disk root key to obtain the first device code;
determining whether the second device code conforms to the first device code;
decrypting the disk encryption key according to the disk root key to obtain the first password;
determining whether the second password conforms to the first password; and
if the second device code conforms to the first device code, and the second password conforms to the first password, mounting the encrypted file as the virtual disk.
3. The method of claim 2 further comprising:
obtaining an access control list; and
encrypting the access control list according to the disk root key to obtain a disk specific key.
4. The method of claim 3 further comprising:
obtaining the disk specific key;
decrypting the disk specific key according to the disk root key to obtain the access control list;
retrieving an access authority towards the virtual disk for a specific user according to the access control list; and
providing the specific user to access the virtual disk according to the access authority.
5. The method of claim 1 further comprising constructing the encrypted file as a RAID system, where respective strips in the RAID system correspond to various disk specific keys or a common disk specific key.
6. The method of claim 1 further comprising obtaining the first device code of a storage device or a processing unit.
7. The method of claim 1 wherein the first device code comprises a UUID of the storage device or a processing unit.
8. A virtual disk management method in a system comprising a processing unit, comprising:
setting a file space;
setting a first password;
acquiring a first device code;
encrypting the file space according to the first password and the first device code to obtain an encrypted file by the processing unit, wherein the first device code is encrypted to obtain a disk root key, the first password is encrypted according to the disk root key to obtain a disk encryption key, and the file space is encrypted according to the disk encryption key to obtain the encrypted file;
receiving a designation of the encrypted file;
receiving a second password;
acquiring a second device code;
determining whether the second password conforms to the first password;
determining whether the second device code conforms to the first device code;
if the second device code conforms to the first device code, and the second password conforms to the first password, mounting the encrypted file as a virtual disk.
9. The method of claim 8 further comprising:
decrypting the disk root key to obtain the first device code; and
decrypting the disk encryption key according to the disk root key to obtain the first password.
10. The method of claim 8 further comprising:
obtaining an access control list; and
encrypting the access control list according to the disk root key to obtain a disk specific key.
11. The method of claim 10 further comprising:
obtaining the disk specific key;
decrypting the disk specific key according to the disk root key to obtain the access control list;
retrieving an access authority towards the virtual disk for a specific user according to the access control list; and
providing the specific user to access the virtual disk according to the access authority.
12. The method of claim 11 further comprising obtaining a UUID of a storage device or a processing unit as the first device code.
13. A virtual disk management method in a system comprising a processing unit, comprising:
receiving a designation of an encrypted file;
receiving a second password;
acquiring a second device code;
decrypting a disk root key corresponding to the encrypted file to obtain a first device code by the processing unit;
determining whether the second device code conforms to the first device code;
decrypting a disk encryption key corresponding to the encrypted file according to the disk root key to obtain a first password by the processing unit;
determining whether the second password conforms to the first password; and
if the second device code conforms to the first device code, and the second password conforms to the first password, mounting the encrypted file as a virtual disk,
wherein the first device code is encrypted to obtain a disk root key, the first password is encrypted according to the disk root key to obtain a disk encryption key, and the file space is encrypted according to the disk encryption key to obtain the encrypted file.
14. The method of claim 13 further comprising:
obtaining a disk specific key corresponding to the encrypted file;
decrypting the disk specific key according to the disk root key to obtain an access control list;
retrieving an access authority towards the virtual disk for a specific user according to the access control list; and
providing the specific user to access the virtual disk according to the access authority.
15. The method of claim 14 further comprising encrypting the access control list according to the disk root key to obtain the disk specific key.
16. The method of claim 13 further comprising acquiring the second device code of a storage device or a processing unit.
17. The method of claim 16 wherein the second device code comprises a UUID of the storage device or the processing unit.
US11/777,322 2006-09-07 2007-07-13 Virtual disk management methods Active 2030-02-24 US7949137B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/777,322 US7949137B2 (en) 2006-09-07 2007-07-13 Virtual disk management methods

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US82478106P 2006-09-07 2006-09-07
US11/777,322 US7949137B2 (en) 2006-09-07 2007-07-13 Virtual disk management methods

Publications (2)

Publication Number Publication Date
US20080065909A1 US20080065909A1 (en) 2008-03-13
US7949137B2 true US7949137B2 (en) 2011-05-24

Family

ID=39171176

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/777,322 Active 2030-02-24 US7949137B2 (en) 2006-09-07 2007-07-13 Virtual disk management methods

Country Status (1)

Country Link
US (1) US7949137B2 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8788842B2 (en) * 2010-04-07 2014-07-22 Apple Inc. System and method for content protection based on a combination of a user PIN and a device specific identifier
US8510552B2 (en) 2010-04-07 2013-08-13 Apple Inc. System and method for file-level data protection
US9182982B1 (en) * 2011-05-06 2015-11-10 Symantec Corporation Techniques for creating an encrypted virtual hard disk
US8918653B2 (en) * 2012-08-10 2014-12-23 International Business Machines Corporation Protection of interpreted source code in virtual appliances
US9165151B2 (en) * 2013-03-13 2015-10-20 Fred Federspiel Systems, methods, and devices for encrypted data management
US9171145B2 (en) * 2013-05-24 2015-10-27 Symantec Corporation Protecting cryptographic secrets using file system attributes
US10498726B2 (en) * 2016-03-22 2019-12-03 International Business Machines Corporation Container independent secure file system for security application containers
US11372984B2 (en) * 2019-08-14 2022-06-28 International Business Machines Corporation Key-compressible encryption

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7043637B2 (en) * 2001-03-21 2006-05-09 Microsoft Corporation On-disk file format for a serverless distributed file system
US20070078866A1 (en) * 2005-02-10 2007-04-05 Yoshikazu Takashima Information processing apparatus and method, and computer program
US20070110044A1 (en) * 2004-11-17 2007-05-17 Matthew Barnes Systems and Methods for Filtering File System Input and Output
US20070143459A1 (en) * 2005-12-19 2007-06-21 Lucent Technologies Inc. Protection of privacy-sensitive information through redundancy, encryption and distribution of information
US7373451B2 (en) * 2003-12-08 2008-05-13 The Board Of Trustees Of The Leland Stanford Junior University Cache-based system management architecture with virtual appliances, network repositories, and virtual appliance transceivers

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7043637B2 (en) * 2001-03-21 2006-05-09 Microsoft Corporation On-disk file format for a serverless distributed file system
US7373451B2 (en) * 2003-12-08 2008-05-13 The Board Of Trustees Of The Leland Stanford Junior University Cache-based system management architecture with virtual appliances, network repositories, and virtual appliance transceivers
US20070110044A1 (en) * 2004-11-17 2007-05-17 Matthew Barnes Systems and Methods for Filtering File System Input and Output
US20070078866A1 (en) * 2005-02-10 2007-04-05 Yoshikazu Takashima Information processing apparatus and method, and computer program
US20070143459A1 (en) * 2005-12-19 2007-06-21 Lucent Technologies Inc. Protection of privacy-sensitive information through redundancy, encryption and distribution of information

Also Published As

Publication number Publication date
US20080065909A1 (en) 2008-03-13

Similar Documents

Publication Publication Date Title
US9547774B2 (en) System and method for distributed deduplication of encrypted chunks
US7949137B2 (en) Virtual disk management methods
EP2876574B1 (en) Attestation of data sanitization
JP4782871B2 (en) Device access control program, device access control method, and information processing apparatus
TWI540453B (en) Sector map-based rapid data encryption policy compliance
US9037856B2 (en) System and method for distributed deduplication of encrypted chunks
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
TWI312952B (en) Method of protecting information in a data storage device and data storage device for use with a host computer
US20080077807A1 (en) Computer Hard Disk Security
JP5417092B2 (en) Cryptography speeded up using encrypted attributes
US20080184035A1 (en) System and Method of Storage Device Data Encryption and Data Access
US20080181406A1 (en) System and Method of Storage Device Data Encryption and Data Access Via a Hardware Key
US20100030982A1 (en) Backing up digital content that is stored in a secured storage device
US20080052537A1 (en) Storage device, write-back method, and computer product
JP2008072717A (en) Hard disc streaming cryptographic operations with embedded authentication
EP2466511B1 (en) Media storage structures for storing content and devices for using such structures
GB2387937A (en) Secure CPU and Memory Management Unit with Cryptographic extensions
JP2004510367A (en) Protection by data chunk address as encryption key
TW200535815A (en) Information processing device and method, program, and recording medium
TW201310276A (en) Encrypted chunk-based rapid data encryption policy compliance
KR20140051350A (en) Digital signing authority dependent platform secret
JP2008219871A (en) System and method of storage device data encryption and data access via hardware key
US20060143477A1 (en) User identification and data fingerprinting/authentication
JP5511925B2 (en) Encryption device with access right, encryption system with access right, encryption method with access right, and encryption program with access right
US8667278B2 (en) Information processing apparatus and data transmission method of information processing apparatus

Legal Events

Date Code Title Description
AS Assignment

Owner name: VIA TECHNOLOGIES, INC., TAIWAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHEN, RUI-HWA;REEL/FRAME:019553/0533

Effective date: 20070702

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12